
Phishing Tales:Honestly, the problem is ‘this big’

Peter Black, Queensland University of Technology

p2.black@qut.edu.au

http://freedomtodiffer.typepad.com/

Outline
  • Phishing explained
    • Definition
    • Case studies
    • Why the ‘ph’?
  • Growth of phishing
  • Australian legislation
  • US position
  • Difficulties with a legislative response
  • Other methods of combating phishing
1. Phishing explained
  • Phishing is the creation and use of e-mails and websites in order to deceive internet users into disclosing their bank and financial account information or other personal data.
  • Once this information is obtained, it is then used to commit fraudulent acts.
Case study: Westpac
  • Source: Anti-Phishing Working Group

<http://www.antiphishing.org/phishing_archive/05-03-04_Westpac_(Westpac_Bank_users_warning).html>

Other targets: Internet services
  • Source: Anti-Phishing Working Group

<http://www.antiphishing.org/phishing_archive/25-10-04_MSN(Your_membership_will_be_cancelled)/25-10-04_MSN(Your_membership_will_be_cancelled).html>
Other targets: Online commerce sites
  • Source: Anti-Phishing Working Group

<http://www.antiphishing.org/phishing_archive/01-31-05_Amazon/01-31-05_Amazon.html>
Other targets: Search engines
  • Source: millersmiles.co.uk: the web’s dedicated anti-phishing service

<http://www.millersmiles.co.uk/report/878>

Charities: United Way
  • Source: millersmiles.co.uk: the web’s dedicated anti-phishing service

<http://www.millersmiles.co.uk/report/1201>

Why phishing with a ‘ph’?
  • The word ‘phishing’ is derived from the analogy that internet scammers use email lures to ‘fish’ for passwords and financial information from the ‘sea’ of internet users.
  • The term was first used in 1996 by hackers attempting to steal America Online (AOL) accounts.
2. Growth of phishing
  • Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006

<http://www.antiphishing.org/reports/apwg_report_May2006.pdf>

Countries hosting phishing sites
  • Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006

<http://www.antiphishing.org/reports/apwg_report_May2006.pdf>

Economic impact of phishing
  • The dollar damage from phishing is substantial.
  • Estimates of the annual loss to consumers and online commerce range from:
    • $500 million a year (Ponemon Institute 2004); to
    • $2.4 billion in 2003 (Gartner 2004).
  • Phishing also exacts a significant toll on individual consumers.
    • See Jennifer Lynch, ‘Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’(2005) 20 Berkeley Technology Law Journal 259 at 266-67.
3. Australian legislation
  • Phishing could be criminally prosecuted under state legislation that deals with identity theft and fraud:
    • Crimes Act 1958 (Vic): obtaining property by deception (s 81(1)), and obtaining financial advantage by deception (s 82);
    • Crimes Act 1900 (NSW): obtaining money by deception (s 178BA), obtaining money by false or misleading statements (s 178BB), obtaining credit by fraud (s 178C), false pretences (s 179), and fraudulent personation (s 184);
    • Criminal Code 1899 (Qld): misappropriation (s 408C);
    • Criminal Code (WA): fraud (s 409(1));
Australian legislation (continued)
  • Criminal Code Act 1924 (Tas): dishonestly acquiring a financial advantage (s 252A(1)), and inserting false information on data (s 257E);
  • Criminal Code 2002 (ACT): obtaining financial advantage by deception (s 332), and general dishonesty (s 333);
  • Criminal Code (NT): criminal deception (s 227);
  • Criminal Law Consolidation Act 1935 (SA): false identity (s 144B), and misuse of personal identification information (s 144C).
Criminal Code Act 1995 (Cth)
  • Section 480.4 of the Criminal Code (Part 10.8, financial information offences) provides:

A person is guilty of an offence if the person:

    • dishonestly obtains, or deals in, personal financial information; and
    • obtains, or deals in, that information without the consent of the person to whom the information relates.

Penalty: Imprisonment for 5 years.

Other relevant Commonwealth legislation
  • Spam Act 2003 (Cth);
  • Trade Practices Act 1974 (Cth);
  • Privacy Act 1988 (Cth);
  • Trade Marks Act 1995 (Cth).
4. US Position
  • Federal offences:
    • Identity theft (18 U.S.C. 1028 (2000));
    • Wire fraud (18 U.S.C. 1343 (2000 & Supp. II 2002));
    • Access device fraud (18 U.S.C. 1029 (2002));
    • Bank fraud (18 U.S.C. 1344 (2000)).
  • Internet users are also protected by the:
    • Truth in Lending Act (15 U.S.C. 1643(a)(1) (2000)); and
    • Gramm-Leach-Bliley Act (15 U.S.C. 6821(b) (2000)).
US Position
  • The Identity Theft Penalty Enhancement Act, enacted in 2004, established a new crime of ‘aggravated identity theft’ – using a stolen identity to commit other crimes.
  • Most states have criminal and consumer protection laws that deal with identity theft.
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), enacted in 2003.
Anti-Phishing Act of 2005
  • Anti-Phishing Act of 2005, a bill to create two new crimes that prohibit the creation or procurement of:
    • a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. 
    • an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.
5. Difficulties with a legislative response
  • Phishing is difficult to deter as the normal barriers to offline crime do not apply.
  • Phishers are able to appear and disappear remarkably quickly, making their identification and prosecution difficult.
  • Jurisdictional issues.
  • Phishers are often found to be judgment proof.
6. Other methods of combating phishing
  • Information security technology solutions:
    • Strong website authentication;
    • Mail server authentication;
    • Digital signatures and/or gateway verification.
  • Internet users should also use spam filters on email, anti-virus software and personal firewalls.
6. Other methods of combating phishing (continued)
  • Internet users should look for signs that the email they have received is a phishing email:
    • deceptive addresses;
    • emails addressed to a generic name rather than the user’s name;
    • unexpected requests for personal information;
    • alarmist warnings;
    • mistakes.
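The five warning signs on this slide are exactly what a first-pass mail triage rule can check mechanically. The script below is an added example written for this page, not material from the presentation: it scores a raw message for each sign (Reply-To drifting away from From, links to bare IP addresses, link text naming a different host than the href, a generic greeting, requests for credentials, urgency language and common misspellings). The indicator word lists, the crude registrable-domain rule and both sample messages are this example's own assumptions; the messages are constructed, modelled on the bank-warning lure in the case studies, and are not real phishing mail.

```python
"""Heuristic phishing-email triage for the five warning signs on the slide
(added example; word lists, domain rule and sample mail are assumptions)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator lists; a real deployment tunes these per brand and locale.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
PERSONAL_INFO_TERMS = ("password", "pin", "account number", "credit card", "date of birth",
                       "verify your account", "confirm your details")
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "cancelled", "urgent",
                 "unauthorised", "unauthorized", "failure to")
COMMON_MISSPELLINGS = ("recieve", "verfiy", "acount", "securty", "informations")
# Crude registrable-domain rule: last two labels, or three under these suffixes
# (assumption standing in for a full public-suffix list).
_TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk", "org.uk", "co.nz"}
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable_domain(host):
    labels = (host or "").lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def _domain_of(header_value):
    addr = parseaddr(str(header_value))[1]
    return _registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def _find_terms(text, terms):
    return [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", text)]


def check_signs(raw_message):
    """Return a dict mapping each warning sign to the evidence found for it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html = "\n".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/html")
    plain = "\n".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")
    text = "\n".join([str(msg.get("Subject", "")), plain, re.sub(r"<[^>]+>", " ", html)]).lower()

    # 1. Deceptive addresses: Reply-To differing from From, links to bare IP
    #    addresses, and link text that names a different host than the href.
    from_domain, reply_domain = _domain_of(msg.get("From", "")), _domain_of(msg.get("Reply-To", ""))
    deceptive = []
    if reply_domain and reply_domain != from_domain:
        deceptive.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    collector = _LinkCollector()
    collector.feed(html)
    for href, label in collector.links:
        host = urlparse(href).hostname or ""
        if _IP_RE.match(host):
            deceptive.append(f"link points to bare IP address {host}")
        shown = _HOST_RE.search(label)
        if shown and _registrable_domain(shown.group(1)) != _registrable_domain(host):
            deceptive.append(f"link text shows {shown.group(1)} but points to {host}")
    return {
        "deceptive_address": deceptive,
        "generic_greeting": _find_terms(text, GENERIC_GREETINGS),         # 2.
        "personal_info_request": _find_terms(text, PERSONAL_INFO_TERMS),  # 3.
        "alarmist": _find_terms(text, URGENCY_TERMS),                     # 4.
        "mistakes": _find_terms(text, COMMON_MISSPELLINGS),               # 5.
    }


def phishing_score(raw_message):
    """Number of warning signs (0-5) present, plus the evidence for each."""
    findings = check_signs(raw_message)
    return sum(1 for evidence in findings.values() if evidence), findings


# Constructed sample messages (not real lures), modelled on the bank-warning theme.
PHISH = """\
From: Westpac Bank <security@westpac-alerts.example>
Reply-To: verify@mail-verify.example
To: customer@example.org
Subject: Your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>We detected unauthorised access to your acount. Failure to verify your account
within 24 hours will result in suspension. Please confirm your details, including
your password and account number, at
<a href="http://203.0.113.5/westpac/login">https://www.westpac.com.au/login</a>.</p>
</body></html>
"""
LEGIT = """\
From: Jane Doe <jane@example.org>
To: Peter <peter@example.org>
Subject: Slides for Thursday
Content-Type: text/plain; charset="utf-8"

Hi Peter, attached are the slides for Thursday's phishing talk. Jane
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, findings = phishing_score(raw)
        print(f"{name}: {score}/5 signs", {k: v for k, v in findings.items() if v})
```

Run stand-alone, the constructed lure trips all five signs (three separate pieces of address evidence alone: the Reply-To mismatch, the bare-IP link and the link text claiming to be westpac.com.au) while the ordinary message scores zero. Word lists like these are deliberately crude; the address checks are the durable part, because they test what the mail actually does rather than what it says.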
Conclusion
  • Issue: legislation vs technology
  • Professor Lawrence Lessig has argued that architecture or ‘code’ is better than traditional law in cyberspace because law regulates ‘through the threat of ex post sanction, while code, in constructing a social world, regulates immediately’.
    • Lawrence Lessig, ‘The Constitution of Code: Limitations on Choice-Based Critiques of Cyberspace Regulation’, 5 CommLaw Conspectus 181, 184 (1997).
Conclusion
  • As we wait for technological improvements, companies and consumers need to be aware of the phishing threat and use existing technology and common sense to reduce the instances of successful phishing attacks.
  • If companies and consumers fail to respond, phishing will have caught us hook, line and sinker.
Creative Commons License

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Australia License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/au/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.